From e0e47f5ad5669ba6fb8cdd76fffcf7d45278b71e Mon Sep 17 00:00:00 2001
From: Michael McGloin
Date: Wed, 30 Aug 2023 16:19:55 -0400
Subject: [PATCH 1/2] feat(aws-eks): Create method to associate an external oidc provider with eks cluster

Implement `associateOpenIdConnectProvider` method in `Cluster` resource.
Implement test for connecting an OIDC resource after creating a cluster
---
 packages/aws-cdk-lib/aws-eks/lib/cluster.ts | 14 ++++++++++++++
 .../aws-cdk-lib/aws-eks/test/cluster.test.ts | 17 +++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/packages/aws-cdk-lib/aws-eks/lib/cluster.ts b/packages/aws-cdk-lib/aws-eks/lib/cluster.ts
index bdfa393e21865..a9ea21078b67f 100644
--- a/packages/aws-cdk-lib/aws-eks/lib/cluster.ts
+++ b/packages/aws-cdk-lib/aws-eks/lib/cluster.ts
@@ -1869,6 +1869,20 @@ export class Cluster extends ClusterBase {
     });
   }
 
+  /**
+   * Manually associate an `OpenIdConnectProvider` resource to this cluster. Skips the lazy
+   * allocation of an OpenIdConnectProvider.
+   *
+   * @param arn the arn of the OIDC provider
+   */
+  public associateOpenIdConnectProvider(arn: string): iam.IOpenIdConnectProvider {
+    if (this._openIdConnectProvider) {
+      throw new Error('Cluster already has an OIDC provider associated.');
+    }
+    this._openIdConnectProvider = OpenIdConnectProvider.fromOpenIdConnectProviderArn(this, 'OpenIdConnectProvider', arn);
+    return this._openIdConnectProvider;
+  }
+
   /**
    * Internal API used by `FargateProfile` to keep inventory of Fargate profiles associated with
    * this cluster, for the sake of ensuring the profiles are created sequentially.
diff --git a/packages/aws-cdk-lib/aws-eks/test/cluster.test.ts b/packages/aws-cdk-lib/aws-eks/test/cluster.test.ts
index 368f9f2e0cf5e..ccb008343ac2f 100644
--- a/packages/aws-cdk-lib/aws-eks/test/cluster.test.ts
+++ b/packages/aws-cdk-lib/aws-eks/test/cluster.test.ts
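Review bot: `associateOpenIdConnectProvider` accepts any ARN and never checks that the imported provider's issuer URL is this cluster's own OIDC issuer; since service-account and add-on roles presumably build their trust policy from whatever provider is associated, a mismatched ARN silently changes which token issuer may assume those roles, so the doc comment should at least state the precondition, e.g. `@param arn the ARN of an IAM OIDC provider whose URL is this cluster's OIDC issuer URL`. The guard on `_openIdConnectProvider` also means the call throws once the provider has been lazily allocated, which per the doc comment happens when anything (e.g. `addServiceAccount`, `AlbController`) first needs it, so the doc should say the method must be called before any such use. The method is added to `Cluster` only, while the README hunk in the second patch calls it on the result of `eks.Cluster.fromClusterAttributes(...)`; if that factory returns the `ICluster` interface as its name suggests, the example will not compile, so either add the method to the interface/`ClusterBase` or change the example. The enclosing `Cluster` class continues outside the hunk.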
@@ -2173,6 +2173,23 @@ describe('cluster', () => {
       },
     });
   });
+
+  test('associating an openIdConnectProvider with a cluster after creation', () => {
+    // GIVEN
+    const { stack } = testFixtureNoVpc();
+    const cluster = new eks.Cluster(stack, 'Cluster', { defaultCapacity: 0, version: CLUSTER_VERSION, prune: false });
+
+    // WHEN
+    const provider = cluster.associateOpenIdConnectProvider('arn:aws:iam::1111111:oidc-provider/oid-already-associated-to-cluster');
+    const albController = new eks.AlbController(stack, 'albController', {
+      cluster: cluster,
+      version: eks.AlbControllerVersion.V2_4_1,
+    });
+
+    // THEN
+    expect(provider).toEqual(cluster.openIdConnectProvider);
+  });
+
   test('inference instances are supported', () => {
     // GIVEN
     const { stack } = testFixtureNoVpc();

From 0b2eeca63e51cb8b2f784156cd00d591a22b2b6d Mon Sep 17 00:00:00 2001
From: Michael McGloin
Date: Wed, 6 Sep 2023 19:27:39 -0400
Subject: [PATCH 2/2] fix(eks): update README to include example of attaching provider to cluster.

---
 packages/aws-cdk-lib/aws-eks/README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/packages/aws-cdk-lib/aws-eks/README.md b/packages/aws-cdk-lib/aws-eks/README.md
index a46ceb88dfb1a..cd74f1d419cd0 100644
--- a/packages/aws-cdk-lib/aws-eks/README.md
+++ b/packages/aws-cdk-lib/aws-eks/README.md
@@ -1116,6 +1116,9 @@ const cluster = eks.Cluster.fromClusterAttributes(this, 'MyCluster', {
   kubectlRoleArn: 'arn:aws:iam::123456:role/service-role/k8sservicerole',
 });
 
+// you can also associate a provider created outside the CDK with an existing cluster
+const provider3 = cluster.associateOpenIdConnectProvider('arn:aws:iam::123456:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/AB123456ABC')
+
 const serviceAccount = cluster.addServiceAccount('MyServiceAccount');
 
 const bucket = new s3.Bucket(this, 'Bucket');
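Review bot: The new test constructs `albController` but never uses it and asserts nothing about the synthesized stack, so it does not verify what the docstring promises (that the lazy provider allocation is skipped and dependents use the imported ARN); add `Template.fromStack(stack).resourceCountIs('Custom::AWSCDKOpenIdConnectProvider', 0);` under THEN, or drop the controller to satisfy the unused-variable lint. The guard branch of `associateOpenIdConnectProvider` is also untested: after the first association add `expect(() => cluster.associateOpenIdConnectProvider('arn:aws:iam::1111111:oidc-provider/oid-already-associated-to-cluster')).toThrow(/already has an OIDC provider/);`. `expect(provider).toEqual(cluster.openIdConnectProvider)` compares structurally, while the intent is that the getter returns the very object the method returned, which `toBe` states more precisely. The enclosing `describe('cluster')` block starts and ends outside the hunk.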